Re: DMZ Question

On Fri, 26 Aug 2005 12:14:51 -0400, Lem <*email_address_deleted*> wrote:

>Chuck wrote:
>
>> On Thu, 25 Aug 2005 17:35:12 -0400, Lem <*email_address_deleted*> wrote:
>>
>> >Chuck wrote:
>> >
>> >> On Thu, 25 Aug 2005 15:22:31 -0400, Lem <*email_address_deleted*> wrote:
>> >>
>> >> >If a PC is in a router's "DMZ," and thus has a public IP address, can
>> >> >any of its resources (printers and files) be shared by computers on the
>> >> >LAN? And as a corollary, if computers on the LAN can share those
>> >> >resources, can those resources be protected from use by anyone anywhere?
>> >>
>> >> Lem,
>> >>
>> >> If a computer is in the same subnet as the other computers, then it can share
>> >> resources with the other computers. DMZ or no.
>> >>
>> >> The DMZ simply makes the IP ports on the DMZ computer(s) available to the
>> >> Internet as a whole. Including file and printer sharing, if there's not a
>> >> properly setup firewall on the computer(s) in the DMZ.
>> >>
>> >> I don't think that this is a Windows XP topic, though, so maybe it would be
>> >> better asked in Comp.Security.Firewalls, or in Microsoft.Public.Security. Might
>> >> be more experience there.
>> >>
>> >> BTW, Lem, posting your email address openly will get you more unwanted email,
>> >> than wanted email. Learn to munge your email address properly, to keep yourself
>> >> a bit safer when posting to open forums. Protect yourself and the rest of the
>> >> internet - read this article.
>> >> <http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#Munging>
>>
>> >You're right, this is not really a Windows question, although it's based on a system running
>> >WinXP. I understand that putting a computer in a router's DMZ exposes its ports to the
>> >Internet. In the system I was looking at, the router accomplished this exposure by assigning
>> >the DMZ computer a public IP address (64.252.xxx.xxx). Thus, according to your explanation,
>> >there could be no resource sharing with the LAN PCs, which have IP addresses in one of the
>> >ranges reserved for private addresses (172.16.xxx.xxx), and thus are on a different subnet.
>> >Perhaps there are some routers that implement DMZ by assigning a private IP address and then
>> >just forwarding ports. I'll check in Comp.Security.Firewalls.
>> >
>> >The beauty of hotmail addresses is that they're disposable. I check the address on this
>> >post just often enough to keep hotmail from disabling the account -- I don't care what goes
>> >there. On the other hand, it's a real address, which sometimes is necessary to use.
>>
>> With a true DMZ, on an Enterprise LAN, there would be a physically separate
>> network segment, with a router connecting that subnet directly to the office LAN
>> (but with both networks protected by the corporate firewall). That's the
>> purpose of a DMZ, to isolate itself from a vulnerable office network, yet
>> protect itself.
>>
>> I've yet to figure out what the protection of a NAT router DMZ is. As I
>> understand it, a NAT DMZ consists of a single computer, exposed to the world,
>> and directly accessible by the other computers. If your router actually creates
>> a separate subnet, that sounds like a true DMZ. What make and model router is
>> that? Does it have a rule set that restricts traffic between itself and the LAN
>> in general?
>>
>> And thanks for acknowledging your public exposure of your Hotmail account - it's
>> good that you understand the risks. Unfortunately, you're causing a risk to the
>> Internet, as the clueless will see you posting your address and follow your
>> example. And the clueless are those most vulnerable to trojans and worms, and
>> will contribute one more bot to the world botnet population. This will mean
>> still more spam for everybody, as if there isn't already too much.

>For what it's worth, the router in question is a 2Wire HomePortal 1000s. It's a friend's and I
>have no idea why his network is configured the way it is, other than he apparently had great
>difficulty in getting things to work and relied on advice from his ISP's tech support. In my
>experience, ISP tech support often supplies "solutions" that make life easier for the ISP without
>regard for any problems they may cause the individual user, e.g., the universal solution of
>"re-format and re-install Windows."
>
>According to 2Wire, their implementation of DMZ, which they call "DMZPLUS", still protects the
>exposed computer with stateful packet inspection. See: http://tinyurl.com/8w7ut
>
>To munge or not to munge. That is the question. Suffice it to say that there are differences in
>opinion on this issue, and many posters to the microsoft.public newsgroups, including MS-MVPs,
>post using valid email addresses. [Interestingly enough, I get far more spam at my "real"
>address than at the hotmail address I use to post here. I suspect it's because some of the
>"legitimate" e-tailers whose sites I vist and purchase from sell their customer lists. I wonder
>if anyone's actually done a _recent_ study to determine if the spammers and malware propagators
>continue to use address-harvesting bots or if they find it far easier just to buy a CD with tens
>of thousands of known-good email addresses.]

>Allow All Applications (DMZplus)
>
>DMZplus is a special firewall mode that is used for hosting applications if you are still not
>able to get an application to operate properly using the "Allow individual application(s)"
>option. When in DMZplus mode, the designated computer:
>
> - "Shares" your Router Address (system's IP address).
> - Appears as if it is directly connected to the Internet.
> - Has all of the unassigned TCP and UDP ports opened and pointed to it.
> - Can receive unsolicited network traffic from the internet.
>
>NOTE: Although the DMZplus computer appears to Internet users as though it is directly
>connected to the Internet, it is still protected by your system firewall. All traffic is
>inspected by the firewall's Stateful Packet Inspection engine and all known hacker attacks
>continue to be blocked. Since all filtered traffic is forwarded to the designated computer,
>DMZplus mode should be used with caution. In most situations, you can use the "Allow
>individual application(s)" option to support access from the Internet to applications on your
>network. DMZplus can only be configured for one computer on your home network at a time. The
>Firewall Settings page allows you to enable DMZplus and select which computer will run in
>DMZplus mode.

Thanks for those details. The DMZ is behind an SPI filter (probably not a full
firewall no matter what 2Wire calls it) (is it ICSA certified?), but is still
directly accessible to the other computers in the LAN. Or is it? Is the DMZ
host physically on a separate subnet (64.252.xxx.xxx) or the main LAN
(172.16.xxx.xxx)? What does "ipconfig /all" on the DMZ host show?
<https://www.icsalabs.com/icsa/main.php?pid=gddfg>

You're dead on about ISP Tech Support. That's one of the functions of these
forums - to fill in the gap between typical first line tech support, and
reality. Maybe you and I can save your friend from trouble, if we work to
understand this.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
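A small check for the question Chuck asks above (is the DMZ host on the LAN's subnet, and does it hold a public address?), added here as an example and not code from either poster or from 2Wire. The "ipconfig /all" extracts and the full addresses are constructed, since the thread only gives the 64.252.xxx.xxx and 172.16.xxx.xxx prefixes.

```python
import ipaddress
import re

# Constructed sample "ipconfig /all" extracts (hypothetical; the thread only
# gives the 64.252.xxx.xxx and 172.16.xxx.xxx prefixes, the rest is made up).
DMZ_HOST_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 64.252.10.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 64.252.10.1
"""
LAN_HOST_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 172.16.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.1.1
"""
# Ports Windows file and printer sharing listens on (NetBIOS session, SMB).
SHARING_PORTS = (139, 445)

def parse_ipconfig(text):
    """Pull the first IPv4 address and subnet mask out of ipconfig /all output."""
    ip = re.search(r"IP Address[ .]*:\s*(\d+(?:\.\d+){3})", text)
    mask = re.search(r"Subnet Mask[ .]*:\s*(\d+(?:\.\d+){3})", text)
    if not (ip and mask):
        raise ValueError("no IPv4 address/mask found in ipconfig output")
    return ipaddress.IPv4Interface(f"{ip.group(1)}/{mask.group(1)}")

def assess(dmz_text, lan_text):
    """Is the DMZ host on the same subnet as the LAN host, and is its address public?"""
    dmz = parse_ipconfig(dmz_text)
    lan = parse_ipconfig(lan_text)
    public = not dmz.ip.is_private          # RFC 1918 ranges count as private
    same_subnet = dmz.network == lan.network
    return {
        "dmz_network": str(dmz.network),
        "lan_network": str(lan.network),
        "dmz_has_public_ip": public,
        "same_subnet_as_lan": same_subnet,
        # Without a host firewall on the DMZ machine, the sharing ports are
        # reachable from the Internet whenever the host holds a public address.
        "sharing_ports_exposed_to_internet": SHARING_PORTS if public else (),
    }

if __name__ == "__main__":
    for key, value in assess(DMZ_HOST_IPCONFIG, LAN_HOST_IPCONFIG).items():
        print(f"{key}: {value}")
```

With the constructed input the DMZ host lands on 64.252.10.0/24 and the LAN host on 172.16.1.0/24, so the two are on different subnets and the DMZ host's sharing ports are Internet-facing unless a host firewall filters them.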